panther-labs · akozlovets098 · Dec 8, 2023 · Dec 7, 2023 · egibs · Dec 8, 2023
@@ -6,6 +6,7 @@ Filename: abnormally_high_event_volume.py
 Reports:
     MITRE ATT&CK:
         - TA0040:T1499
+Reference: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html
 Severity: Medium
 Tests:
     - ExpectedResult: false

@@ -8,6 +8,7 @@ Reports:
         - TA0040:T1486
         - TA0040:T1565
 Runbook: Verify this action was intended and if any EBS volumes were created after the change.
+Reference: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#encryption-by-default
 Severity: Medium
 Tests:
     - ExpectedResult: true

@@ -17,7 +17,7 @@ Reports:
 Severity: Info
 Description: An EC2 Network Gateway was modified.
 Runbook: https://docs.runpanther.io/alert-runbooks/built-in-rules/aws-ec2-gateway-modified
-Reference: reference.link
+Reference: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Internet_Gateway.html
 SummaryAttributes:
   - eventName
   - userAgent

@@ -17,6 +17,7 @@ Severity: Medium
 Description: >
   An EC2 security group was manually updated without abiding by the organization's accepted processes. This rule expects organizations to either use the Console, CloudFormation, or Terraform, configurable in the rule's ALLOWED_USER_AGENTS.
 Runbook: Identify the actor who changed the security group and validate it was legitimate
+Reference: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/working-with-security-groups.html
 Tests:
   -
     Name: AWS Console - Ingress SG Authorization

@@ -7,6 +7,7 @@ Reports:
     MITRE ATT&CK:
         - TA0002:T1204
 Runbook: Verify that the action was not taken by a malicious actor.
+Reference: https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonec2imagebuilder.html#amazonec2imagebuilder-actions-as-permissions
 Severity: Info
 Tags:
     - ec2

@@ -17,7 +17,7 @@ Reports:
 Severity: Info
 Description: An EC2 Network ACL was modified.
 Runbook: https://docs.runpanther.io/alert-runbooks/built-in-rules/aws-ec2-network-acl-modified
-Reference: reference.link
+Reference: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html#nacl-tasks
 SummaryAttributes:
   - eventName
   - userAgent

@@ -16,7 +16,7 @@ Reports:
 Severity: Info
 Description: An EC2 Route Table was modified.
 Runbook: https://docs.runpanther.io/alert-runbooks/built-in-rules/aws-ec2-route-table-modified
-Reference: reference.link
+Reference: https://docs.aws.amazon.com/vpc/latest/userguide/WorkWithRouteTables.html
 SummaryAttributes:
   - eventName
   - userAgent

@@ -19,7 +19,7 @@ DedupPeriodMinutes: 720 # 12 hours
 Description: >
   An EC2 Security Group was modified.
 Runbook: https://docs.runpanther.io/alert-runbooks/built-in-rules/aws-ec2-securitygroup-modified
-Reference: reference.link
+Reference: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/working-with-security-groups.html
 SummaryAttributes:
   - eventName
   - userAgent

@@ -6,6 +6,7 @@ Filename: aws_ec2_startup_script_change.py
 Reports:
     MITRE ATT&CK:
         - TA0002:T1059
+Reference: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/user-data.html#user-data-shell-scripts
 Severity: High
 Tests:
     - ExpectedResult: false

@@ -18,7 +18,7 @@ Severity: Info
 DedupPeriodMinutes: 720 # 12 hours
 Description: An EC2 VPC was modified.
 Runbook: https://docs.runpanther.io/alert-runbooks/built-in-rules/aws-ec2-vpc-modified
-Reference: reference.link
+Reference: https://docs.aws.amazon.com/vpc/latest/userguide/configure-your-vpc.html
 SummaryAttributes:
   - eventName
   - userAgent

@@ -16,7 +16,7 @@ Reports:
 Severity: High
 Description: Unauthorized ECR Create, Read, Update, or Delete event occurred.
 Runbook: https://docs.aws.amazon.com/AmazonECR/latest/userguide/logging-using-cloudtrail.html
-Reference: reference.link
+Reference: https://docs.aws.amazon.com/AmazonECR/latest/userguide/security-iam.html#security_iam_authentication
 SummaryAttributes:
   - eventSource
   - eventName

@@ -14,7 +14,7 @@ Reports:
 Severity: High
 Description: An ECR event occurred outside of an expected account or region
 Runbook: https://docs.aws.amazon.com/AmazonECR/latest/userguide/logging-using-cloudtrail.html
-Reference: reference.link
+Reference: https://aws.amazon.com/blogs/containers/amazon-ecr-in-multi-account-and-multi-region-architectures/
 SummaryAttributes:
   - eventSource
   - recipientAccountId

@@ -18,7 +18,7 @@ Description: >
   A user assumed a role that was explicitly blocklisted for manual user assumption.
 Runbook: >
   Verify that this was an approved assume role action. If not, consider revoking the access immediately and updating the AssumeRolePolicyDocument to prevent this from happening again.
-Reference: reference.link
+Reference: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html
 SummaryAttributes:
   - userAgent
   - sourceIpAddress

@@ -18,7 +18,7 @@ Description: >
   An IAM Entity (Group, Policy, Role, or User) was created manually. IAM entities should be created in code to ensure that permissions are tracked and managed correctly.
 Runbook: >
   Verify whether IAM entity needs to exist. If so, re-create it in an appropriate CloudFormation, Terraform, or other template. Delete the original manually created entity.
-Reference: reference.link
+Reference: https://blog.awsfundamentals.com/aws-iam-roles-with-aws-cloudformation
 SummaryAttributes:
   - userAgent
   - sourceIpAddress

@@ -9,6 +9,7 @@ Reports:
         - TA0005:T1108
         - TA0005:T1550
         - TA0008:T1550
+Reference: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html
 Severity: Medium
 Tests:
     - ExpectedResult: false

@@ -6,6 +6,7 @@ Filename: aws_ipset_modified.py
 Reports:
     MITRE ATT&CK:
         - TA0005:T1562
+Reference: https://docs.aws.amazon.com/managedservices/latest/ctref/management-monitoring-guardduty-ip-set-update-review-required.html
 Severity: High
 Tests:
     - ExpectedResult: true

@@ -14,7 +14,7 @@ Tags:
 Severity: High
 Description: A users static AWS API key was uploaded to a public github repo.
 Runbook: Determine the key owner, disable/delete key, and delete the user to resolve the AWS case. If user needs a new IAM give them a stern talking to first.
-Reference: N/A
+Reference: https://docs.github.com/en/code-security/secret-scanning/about-secret-scanning
 Tests:
   -
     Name: An AWS Access Key was Uploaded to Github

@@ -16,7 +16,7 @@ Reports:
 Severity: High
 Description: Unauthorized lambda Create, Read, Update, or Delete event occurred.
 Runbook: https://docs.aws.amazon.com/lambda/latest/dg/logging-using-cloudtrail.html
-Reference: reference.link
+Reference: https://docs.aws.amazon.com/lambda/latest/dg/logging-using-cloudtrail.html
 SummaryAttributes:
   - eventSource
   - eventName

@@ -16,7 +16,7 @@ Description: >
   A Network ACL entry that allows access from anywhere was added.
 Runbook: >
   Remove the overly permissive Network ACL entry and add a new entry with more restrictive permissions.
-Reference: reference.link
+Reference: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html#nacl-rules
 SummaryAttributes:
   - userAgent
   - sourceIpAddress

@@ -3,6 +3,7 @@ Description: A sensitive database operation that should be performed carefully o
 DisplayName: "AWS RDS Master Password Updated"
 Enabled: true
 Filename: aws_rds_master_pass_updated.py
+Reference: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.Modifying.html
 Severity: Low
 DedupPeriodMinutes: 60
 Reports:

@@ -6,6 +6,7 @@ Filename: aws_rds_publicrestore.py
 Reports:
     MITRE ATT&CK:
         - TA0010:T1020
+Reference: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_RestoreFromSnapshot.html
 Severity: High
 Tests:
     - ExpectedResult: false

@@ -16,7 +16,7 @@ Description: >
   Some AWS resource was made publicly accessible over the internet.
   Checks ECR, Elasticsearch, KMS, S3, S3 Glacier, SNS, SQS, and Secrets Manager.
 Runbook: Adjust the policy so that the resource is no longer publicly accessible
-Reference: reference.link
+Reference: https://aws.amazon.com/blogs/security/identifying-publicly-accessible-resources-with-amazon-vpc-network-access-analyzer/
 SummaryAttributes:
   - userAgent
   - sourceIpAddress

@@ -16,7 +16,7 @@ Reports:
 Description: Deprecated. Please see AWS.Console.RootLogin instead.
 Runbook: >
   Verify that the root login was authorized. If not, investigate the root activity and ensure no malicious activity was performed. Change the root password.
-Reference: reference.link
+Reference: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html
 SummaryAttributes:
   - eventSource
   - userAgent

@@ -3,6 +3,7 @@ Description: Identifies when SAML activity has occurred in AWS. An adversary cou
 DisplayName: "AWS SAML Activity"
 Enabled: true
 Filename: aws_saml_activity.py
+Reference: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-managing-saml-idp-console.html
 Severity: Medium
 Tests:
     - ExpectedResult: true

@@ -15,7 +15,7 @@ Reports:
 Description: An account wide security configuration was changed.
 Runbook: >
   Verify that this change was planned. If not, revert the change and update the access control policies to ensure this doesn't happen again.
-Reference: reference.link
+Reference: https://docs.aws.amazon.com/prescriptive-guidance/latest/aws-startup-security-baseline/controls-acct.html
 SummaryAttributes:
   - eventName
   - userAgent

@@ -6,6 +6,7 @@ Filename: aws_securityhub_finding_evasion.py
 Reports:
     MITRE ATT&CK:
         - TA0005:T1562
+Reference: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-insights-view-take-action.html
 Severity: High
 Tests:
     - ExpectedResult: false

@@ -6,6 +6,7 @@ Filename: aws_snapshot_backup_exfiltration.py
 Reports:
     MITRE ATT&CK:
         - TA0010:T1537
+Reference: https://docs.aws.amazon.com/prescriptive-guidance/latest/backup-recovery/ec2-backup.html
 Severity: Medium
 Tests:
     - ExpectedResult: true

@@ -14,7 +14,7 @@ Reports:
 Severity: Medium
 Description: An AWS storage snapshot was made public.
 Runbook: Adjust the snapshot configuration so that it is no longer public.
-Reference: reference.link
+Reference: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-modifying-snapshot-permissions.html
 SummaryAttributes:
   - userAgent
   - sourceIpAddress

@@ -9,6 +9,7 @@ Reports:
         - TA0005:T1108
         - TA0005:T1550
         - TA0008:T1550
+Reference: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_aws_my-sec-creds-self-manage-pass-accesskeys-ssh.html
 Severity: High
 Tests:
     - ExpectedResult: false